Karim Eldefrawy

Cryptography, Cybersecurity, Privacy

Co-founder and CTO at Confidencial.io
2017-2021: SRI
2011-2016: HRL Laboratories
2006-2010: PhD@UC Irvine

Scientific curiosity

Scientific knowledge map · Paper #35

Efficient, Reusable Fuzzy Extractors from LWE

Daniel Apon, Chongwon Cho, Karim Eldefrawy, and Jonathan Katz

2017 · International Symposium on Cyber Security Cryptography and Machine Learning (CSCML)

  • Theory
  • primitive
  • scheme

What does the paper try to establish?

How can a fuzzy extractor safely derive independent-looking keys from repeated, nearby biometric readings when an adversary sees multiple helper strings and may also learn keys from other enrollments?

What is the proposed answer?

The paper defines weak and strong reusability, breaks the independently parameterized LWE-based FMR fuzzy extractor after only two related enrollments, repairs it to weak reusability using a common public matrix, gives a random-oracle transform from weak to strong reusability, and constructs a direct strongly reusable LWE-based fuzzy extractor without random oracles.

Six dimensions, kept separate

The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.

The visual spider chart requires JavaScript. The complete values and rationales follow in text.

LowMediumHighN/A = not assessed

A smaller value means less documented support for that dimension, not that the paper is false or unimportant.

Epistemic evidence High

The complete paper supplies explicit security experiments, a concrete algebraic break, three positive constructions, theorem statements, and reduction sketches under identified assumptions. It does not provide machine-checked proofs, a concrete-security implementation, or empirical biometric validation.

Weak and strong reusability experiments Two-enrollment recovery attack on independently sampled matrices Common-matrix repair, Theorem 1, and strong-reuse separation Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
Auditability High

A checked-in author copy with recorded SHA-256 and page count, an IACR ePrint route, the official DOI, and precise page anchors make definitions and derivations directly inspectable.

Repeated-biometric problem and contribution sequence Official CSCML publication identity
Production provenance Medium

Named authorship, affiliations, acknowledgments, venue, DOI, author copy, and ePrint identity are documented. Contributor roles, revision history, tool use, and exact version correspondence have not been audited.

Repeated-biometric problem and contribution sequence Official CSCML publication identity
External scrutiny Medium

CSCML publication and an IACR record establish external and public exposure, but review reports, rebuttal, independent proof checking, formal verification, and correction history were not located.

Official CSCML publication identity
Reception High

OpenAlex reported 42 citations on 2026-07-11. Under the author-defined corpus rule, more than 10 located citations is High. The count is index- and date-dependent and does not certify correctness.

Dated citation-count snapshot
Contribution significance High

The paper contributes new reusable-security definitions, a complete break of a natural prior construction, a weak/strong separation, and two routes to strong reusability; the dated citation record indicates sustained follow-on attention. Priority and adoption were not independently audited.

Repeated-biometric problem and contribution sequence Two-enrollment recovery attack on independently sampled matrices Dated citation-count snapshot

Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.

Hierarchical knowledge map

Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.

paper

Efficient, Reusable Fuzzy Extractors from LWE

A foundations paper that identifies a concrete helper-data leakage failure, formalizes two levels of repeated-use security, and gives both repaired and new lattice-based fuzzy-extractor schemes.

Repeated-biometric problem and contribution sequence
  1. contribution

    Attack, repair, transform, and direct scheme

    source asserted

    Independent FMR public matrices enable complete recovery after two nearby enrollments; sharing one random matrix restores weak reusability, hashing nonce-bound extracted values gives strong reusability in the random-oracle model, and LWE encryption yields a direct standard-model construction.

    Two-enrollment recovery attack on independently sampled matrices Common-matrix repair, Theorem 1, and strong-reuse separation Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
  2. scope Fuzzy-extractor model formally defined

    Gen maps a noisy source w to public helper data and an l-bit key; Rec reproduces that key from the helper data and any w-prime within distance t. Security asks whether the key is indistinguishable from uniform given helper data and sufficient source min-entropy.

    Fuzzy-extractor correctness and indistinguishability security
    1. definition

      Weak reusability

      defined

      An adaptive adversary selects bounded-Hamming-weight shifts of one hidden source and receives every resulting helper string; the original enrollment key must remain indistinguishable from uniform.

      Weak and strong reusability experiments
    2. definition

      Strong reusability

      defined

      The same experiment additionally reveals the extracted key for every shifted enrollment. Strong security therefore protects one target key even after compromise or legitimate disclosure of the others.

      Weak and strong reusability experiments
    3. assumption

      Shift-correlated Hamming sources

      modeling choice

      The new definitions specialize to a Hamming metric and adversarially chosen shifts of weight at most t. They do not cover every possible joint distribution of repeated biometric readings allowed by stronger prior formulations.

      Weak and strong reusability experiments
  3. method Analysis of the FMR extractor specified

    FMR publishes a random linear-code matrix A and As + w, extracts coordinates of s, and reconstructs s by decoding the difference between helper data and a nearby reading.

    Fuller-Meng-Reyzin extractor and decoder
    1. attack Two-helper-string recovery attack demonstrated

      For nearby w1 and w2 under independent A1 and A2, subtracting helper strings yields a noisy linear system in s1 and s2. Decoding recovers both secrets and then both original biometrics; the paper calls this a complete break of weak reusability.

      Two-enrollment recovery attack on independently sampled matrices
      1. limitation

        Parameter range of the attack

        analyzed

        The direct exposition uses m at least 6n, while the source argues the decoder also works with greater expected time for 3n through 6n and expects additional helper strings to strengthen attacks; this extension is argued rather than experimentally measured.

        Two-enrollment recovery attack on independently sampled matrices
  4. method Reusable extractor constructions constructed

    The paper supplies three distinct positive results with different setup and idealization requirements; weak repair, random-oracle bootstrapping, and the direct LWE scheme should be evaluated separately.

    Common-matrix repair, Theorem 1, and strong-reuse separation Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
    1. scheme

      Common-matrix weakly reusable FMR

      theorem supported

      Reusing one uniformly generated public A across enrollments makes helper differences expose only s1 minus s2. Theorem 1 reduces simulated shifted helpers to ordinary FMR security and concludes weak reusability with the same error bound.

      Common-matrix repair, Theorem 1, and strong-reuse separation
    2. claim

      Weak does not imply strong reusability

      explicit counterexample

      In the common-A FMR repair, helper differences reveal s1 minus s2; learning coordinates of one s through a disclosed extracted key reveals the corresponding coordinates, and hence the other key. This gives a natural separation between the definitions.

      Common-matrix repair, Theorem 1, and strong-reuse separation
    3. scheme

      Generic weak-to-strong transform

      theorem supported

      Append a fresh nonce to the helper data and replace extracted r with H(nonce, r). Theorem 2 bounds strong-reuse advantage by weak-reuse error, guessing, and nonce-collision terms when H is a random oracle.

      Generic nonce-and-hash transformation and Theorem 2
    4. scheme

      Direct standard-model LWE scheme

      construction with reduction sketch

      Encode a random s as As + w, use s to LWE-encrypt an independent random key r, publish the encoding and ciphertext, and recover s from a nearby reading before decrypting r. No random oracle is used.

      Direct LWE construction without random oracles
  5. claim group Formal claims source asserted

    The claims range from an unconditional algebraic attack to reductions conditional on the base extractor, random-oracle idealization, or decisional LWE. Their premises are not interchangeable.

    Two-enrollment recovery attack on independently sampled matrices Common-matrix repair, Theorem 1, and strong-reuse separation Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
    1. claim

      Random-oracle strong reusability

      theorem 2

      For a bounded-time attacker, the nonce-and-hash transform is strongly reusable with a stated asymptotic advantage bound combining the weak extractor's epsilon, extracted-key length, and nonce length.

      Generic nonce-and-hash transformation and Theorem 2
  6. evidence group Proof evidence formal analysis

    The source gives explicit experiments, algebraic attack derivations, theorem statements, construction algorithms, and reduction sketches. It contains no implementation, benchmark, biometric dataset, or concrete-parameter evaluation.

    Weak and strong reusability experiments Two-enrollment recovery attack on independently sampled matrices Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
    1. evidence

      Attack derivation

      derivation inspected

      Subtracting the two public values eliminates the nearby readings up to a sparse error, producing a decodable random-linear-code instance; recovering s1 and s2 makes each wi equal to its public vector minus Ai si.

      Two-enrollment recovery attack on independently sampled matrices
  7. limitation group

    Scope and limitations

    material

    Positive results depend respectively on a shared public matrix, a random oracle, or a specific LWE-based encryption construction and coordinate-independent source distribution. Error tolerance inherits the FMR decoder's small-Hamming-error regime, and the paper does not validate real biometric noise.

    Fuller-Meng-Reyzin extractor and decoder Common-matrix repair, Theorem 1, and strong-reuse separation Generic nonce-and-hash transformation and Theorem 2 Direct LWE construction without random oracles
  8. scrutiny

    External scrutiny

    venue reviewed

    The work appeared at CSCML and is publicly archived. Venue review and later citations do not substitute for independent line-by-line verification of the attacks and reductions; no public review reports or formalization were located.

    Official CSCML publication identity Dated citation-count snapshot

Source index

Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.

  1. Repeated-biometric problem and contribution sequence Abstract and Sections 1-1.1, PDF pages 1-3
  2. Fuzzy-extractor correctness and indistinguishability security Definition 1 and surrounding discussion, PDF pages 4-5
  3. Weak and strong reusability experiments Definitions 2-3, PDF pages 5-6
  4. Decisional LWE assumption and simultaneous hardcore bits Definition 4 and Lemma 1, PDF pages 6-7
  5. Fuller-Meng-Reyzin extractor and decoder Section 3.1, PDF pages 7-8
  6. Two-enrollment recovery attack on independently sampled matrices Section 3.2, PDF pages 8-9
  7. Common-matrix repair, Theorem 1, and strong-reuse separation Section 3.3, PDF pages 9-10
  8. Generic nonce-and-hash transformation and Theorem 2 Section 4, PDF pages 10-11
  9. Direct LWE construction without random oracles Section 5, PDF pages 11-12
  10. Official CSCML publication identity CSCML 2017, LNCS chapter 1, DOI 10.1007/978-3-319-60080-2_1
  11. Dated citation-count snapshot OpenAlex reported 42 citing works when accessed 2026-07-11